
Author Topic: Sessions in PHP+MySQL (very confused!)  (Read 4755 times)


Offline Waccoon

  • Hero Member
  • Join Date: Apr 2002
  • Posts: 1057
Re: Sessions in PHP+MySQL (very confused!)
« on: May 02, 2006, 09:58:17 AM »
The big difference between sessions and cookies is that with a session, data is retained on the server, and the session will expire in a fairly short time, making it ideal for secure data transactions, or if someone will use a public computer to access their account.  Only the session number is sent from a member's computer to the server (which, itself, is stored as a cookie).  A cookie has a longer login record (depending on the lifespan you specify), and the data is re-transmitted to the server every time they send an HTTP request.  It's customary to give a member a choice when they log in.

Quote
If the ID is stored as a cookie, what would in theory stop the user from modifying the contents of the cookie to another user's ID and assuming their identity? I guess this is made less likely by making the ID string extremely long, but it's still a possibility, right?

The likelihood of guessing a random number is virtually nil, but if you use a hash to encode a user name or password (such as MD5, and especially Crypt), it's easy to guess how things work internally and reproduce the hash.  How easy that is depends on whether your project is open source or not.

People can edit cookies easily.  In fact, Firefox has a number of plugins to directly manipulate POST data on-the-fly.
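The contrast this reply draws, a cookie value derived from a user name (reproducible by anyone who knows the name) against a value that is purely random, applied to a "remember me" login cookie. This is an added example, not Waccoon's code; it assumes PHP 7.3 or later, an existing PDO handle `$db`, and a hypothetical table `remember_tokens(selector, validator_hash, user_id, expires)`, all of which are constructions for the example.

```php
<?php
declare(strict_types=1);

// WEAK: anyone who knows (or guesses) the user name can compute this cookie
// value, so it is an identifier, not a secret. Shown only as the "before".
function weakRememberToken(string $username): string
{
    return md5($username);
}

// STRONG: the cookie carries two random strings unrelated to any user attribute.
// The selector finds the row; the validator is the secret and is stored only
// as a hash, so a database leak does not hand out working cookies.
function issueRememberCookie(PDO $db, int $userId): void
{
    $selector  = bin2hex(random_bytes(12));   // 96-bit lookup key
    $validator = bin2hex(random_bytes(32));   // 256-bit secret
    $expires   = time() + 30 * 86400;         // 30-day lifespan (assumed policy)

    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);

    setcookie('remember', $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,    // HTTPS only
        'httponly' => true,    // not readable from page scripts
        'samesite' => 'Lax',
    ]);
}

// Returns the user id the cookie belongs to, or null if it is malformed,
// unknown, expired, or the secret does not match.
function userFromRememberCookie(PDO $db, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validator] = $parts;

    $stmt = $db->prepare(
        'SELECT user_id, validator_hash, expires FROM remember_tokens WHERE selector = ?'
    );
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()) {
        return null;
    }
    // Constant-time comparison; the selector lookup means timing does not
    // depend on how much of the secret an edited cookie got right.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['user_id'];
}

// Usage after a successful password check, when the member ticked "remember me":
//   issueRememberCookie($db, $memberId);
// On later visits, before falling back to the login form:
//   $memberId = isset($_COOKIE['remember']) ? userFromRememberCookie($db, $_COOKIE['remember']) : null;
```

Editing the cookie to another member's value requires guessing 256 random bits rather than knowing a user name, which is the difference the reply is pointing at; the `Secure` and `HttpOnly` flags limit where the cookie travels but do nothing about a user editing their own cookie, which only the randomness addresses.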
 

Offline Waccoon

  • Hero Member
  • Join Date: Apr 2002
  • Posts: 1057
Re: Sessions in PHP+MySQL (very confused!)
« Reply #1 on: May 02, 2006, 12:14:40 PM »
The session ID and data are managed directly by PHP, according to the settings in the php.ini file.  PHP can store the data lots of different ways.  All you have to do is start a session, and PHP will manage all the numbers internally, for every page view.

As if registered globals wasn't enough indication, PHP sessions are just a bit too automatic for their own good, so read the manual carefully before going down this bumpy road.

PHP Sessions
PHP Session functions

There are a few notable problems:

Only one session may be open at a time per member, so if you use frames, you're asking for trouble.  "session_write_close()" exists to ease the pain.

Only one database connection per session.

Redirects do not re-transmit session data.  You have to include the session ID in the redirect URL using "session_id()", or simply the constant "SID", which is defined when a session has been opened.

Also note that you can't really tell if a session is valid or not unless you test a variable with "isset($_SESSION['blah'])".  The function "session_start()" returns TRUE no matter what.  PHP's support for sessions changes all the time, so, like JavaScript, it's a good idea to test that things are valid before you use them, even though almost everything is server-side.
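The points in this reply, that `session_start()` succeeding says nothing about whether the visitor is logged in, that a page should release the session with `session_write_close()` as early as it can when frames or parallel requests share one session, and that a redirect needs the session to travel with it, put together in one page skeleton. This is an added example, not Waccoon's code. It assumes PHP 7.3 or later and cookie-only session transport (the `session.use_only_cookies` default since PHP 5.3), under which the browser re-sends the session cookie on the request that follows the redirect, so the ID does not have to be appended to the URL; `/login.php` and the `$_SESSION` keys are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Transport settings: session ID only in a cookie, never in the URL, and
// reject IDs the server did not issue itself.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();   // returns true whether or not anyone is logged in

const IDLE_LIMIT_SECONDS = 1800;   // assumed 30-minute idle timeout

// Called when the password check has passed. A fresh ID on privilege change
// means an ID handed to the visitor before login is worthless afterwards.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// The validity test the reply describes: look at the data, not at the return
// value of session_start(). Returns the member id or null.
function currentUserId(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_seen'])) {
        return null;
    }
    if (time() - (int) $_SESSION['last_seen'] > IDLE_LIMIT_SECONDS) {
        logout();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['user_id'];
}

// Page body. Everything this page needs from the session is read above, so
// the lock is released before any slow work; another frame or AJAX request
// using the same session is no longer blocked behind this one.
$uid = currentUserId();
session_write_close();

if ($uid === null) {
    // The session cookie (if any) is re-sent by the browser on the next
    // request, so nothing is appended to the Location URL.
    header('Location: /login.php', true, 303);
    exit;
}

echo 'Hello, member #' . $uid;
```

After `session_write_close()` the page may still read the copy of `$_SESSION` it already has, but writes no longer persist; a page that must write late should call `session_start()` again first. Keeping the session ID out of the URL also keeps it out of server logs, browser history and the `Referer` header, which is why cookie-only transport is the default now.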